> * Three or four Project master keys held by separate people, > maintainers' working keys must be signed by some n-out-of-m of them. > > * Revoke Project master keys by n-out-of-m of them; this way we can > gradually leave bad old keys behind. I don't think we need project master keys. What's wrong with just having a maintainer for a keyring, and distributing that. It could be signed by the keyring maintainer (Igor) and distributed widely. Then the only way it could be compromised is if Igor's private key and PGP passphrase were stolen. Even in the case of that unlikely event, we should still be able to regain control of the keyring. Cheers, - Jim
Attachment:
pgp_p14M6V2LU.pgp
Description: PGP signature